In communications systems such as those employing TCP/IP, data is transferred between end users via packets having a header which includes source and destination addresses. In a well behaved system the source and destination addresses allow a network user to communicate with and retrieve information from a server over the Internet. In the present description network users employ network devices which may be included in a local area network (LAN).
In recent years, malicious users of Internet services have been known to temporarily disrupt or even shut down Internet sites. This is typically done by taking advantage of inherent characteristics in the TCP protocol. For example, TCP uses a three-way handshaking protocol on connection set up. The handshake includes an acknowledgement message from the server to the user and one from the user to the server which confirm receipt of a message. An attacker is able to use a false source address (known as spoofing) which means that the server is unable to complete the acknowledgement portion of the protocol handshake. The server holds or stores incomplete or half opened connections for a period of time. During that time interval the attacker can flood the server and ultimately take the server out of service.
Similarly, an attacker wishing to disrupt an end user such as a user of a local area network can flood the LAN with multiple messages each having a phony or spoofed source address. Such an attack is known as a denial of service (DOS) attack which, ultimately, can shut down or deny service to the local area network.
Generally speaking a denial of service attack involves blocking a network user's ability to use some of the services provided by the network. DOS attacks are common across the Internet with many being launched daily at various targets. Many of the attacks involve specially constructed packets designed to either take advantage of flaws in the software or to tie up resources within devices. The biggest obstacle in reacting to packet flooding attacks is the ability of the attacker to spoof i.e. disguise the source address of the packets.
In the prior art, solutions have been proposed to mitigate the effect of computer viruses which search networks for vulnerable hosts. In a particular solution which is described, by Williamson M. M., in an article entitled “Throttling Viruses: Restricting propagation to defeat malicious mobile code”, (Jun. 17, 2002) packets with unknown destinations or hosts i.e. destinations or hosts that haven't been seen before, are subject to a series of timeouts that limits the rate of connections. This solution is host based using a mechanism designed to slow worm propagation. The above described solution examines the destination or host rather than the source addresses of packets and is not specifically designed to be network based.
Another prior art related to this invention has been presented by T. Peng, C. Leckie and K Ramamohanarao in an article entitled “Protection from Distributed Denial of Service Attack Using History-based Filtering” (to be presented May 14, 2003 but available earlier on the Internet). This solution is based on the notion of “good” and “unknown” source addresses. Under normal condition, their solution examines the source addresses of all IP packets. They keep the source addresses of all packets which appear more than k times (for some constant k). They also keep the source addresses of all packets which appear in at least d of the last n days (for some constants d and n). The source addresses fulfilling at least one of these two conditions define the “good” packets. Once a high-level network utilization that leads to packets being dropped is observed, this solution blocks any packets which do not have “good” source addresses. One major flaw of this approach is that it is effective only after that a high bandwidth attack has been detected—therefore, an independent detection mechanism has to be provided. This may be useless for low bandwidth attack like the TCP SYN flood attack. Another flaw of this approach is to partition the source addresses into only two categories.